FY 2009 OFFICE OF INSPECTOR GENERAL
FISMA REVIEW OF GSA’S INFORMATION TECHNOLOGY SECURITY PROGRAM
REPORT NUMBER A090126/O/T/F09011

September 30, 2009

TABLE OF CONTENTS

EXECUTIVE SUMMARY
   Purpose
   Background
   Results in Brief
   Recommendations
   Management Comments

INTRODUCTION

RESULTS OF AUDIT
   Improvements to Agency-wide Certification and Accreditation Processes Would Better Assist Management and Provide Additional Information for Making Risk-based Decisions
   Security Controls for Internal GSA Applications Should Be Strengthened to Reduce Risks with Sensitive Agency Information and Transactions
   Enhancing Oversight of Emerging Social Media Technologies Could Facilitate Secure Collaboration and Information Sharing Within GSA and With the Public
   Strengthening Oversight Processes Is Needed to Ensure the Security of Contractor Supported Systems

CONCLUSIONS

RECOMMENDATIONS

MANAGEMENT COMMENTS

INTERNAL CONTROLS

Appendices

APPENDIX A – Objective, Scope, and Methodology
APPENDIX B – Select GSA Systems Considered in the OIG’s FY 2009 Review of GSA’s Information Technology Security Program
APPENDIX C – Summary of NIST SP 800-53 Control Areas Where Additional Steps are Needed to Better Manage Risks for the Select Systems Reviewed by the OIG in FY 2009
APPENDIX D – Summary of Security Control Weaknesses Identified in Internal GSA Applications
APPENDIX E – GSA-CIO’s Response to Draft Report
APPENDIX F – Report Distribution

EXECUTIVE SUMMARY

Purpose

The Federal Information Security Management Act of 2002 (FISMA)[1] provides: (1) a framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets; (2) for the development and maintenance of minimum controls required to protect Federal information and information systems; and (3) a mechanism for improved oversight of Federal agency information security programs. Inspectors General (IGs) are required by FISMA to perform an annual independent evaluation to determine the effectiveness of their respective agency’s information security program, including testing a subset of the agency’s information systems. The objective of this audit was to determine if the General Services Administration (GSA) had developed, documented, and implemented an agency-wide information security program to provide information security for the data and systems that support the operations and assets of the Agency. If not, what additional actions are needed to strengthen information security risk management practices for GSA? Appendix A contains our objective, scope, and methodology for the audit.

[1] Title III of the Electronic Government Act of 2002 (Public Law 107-347).

Background

Information security is a critical consideration for GSA as it carries out its mission and responds to the requirements of the American Recovery and Reinvestment Act of 2009 (Recovery Act).[2] Information security is also important as GSA works to implement transparency and open government initiatives to make Agency operations more transparent, participatory, and collaborative. To meet its mission, GSA relies on a portfolio of 94 information systems with a total enacted budget in FY 2009 of approximately $540 million.[3] GSA has established an agency-wide IT security program, which is managed by the Office of the Chief Information Officer, to provide for the confidentiality, integrity, and availability of Agency information systems.

[2] American Recovery and Reinvestment Act of 2009, Public Law 111-5, February 17, 2009.
[3] As reported on the IT Dashboard.

An agency-wide IT security program provides a management framework for ensuring that risks are understood and that effective controls are selected and properly implemented for Agency information systems. FISMA is the primary legislation governing Federal information security programs, and it builds upon earlier legislation through added emphasis on the management of information security. FISMA directs agencies to develop, document, and implement an agency-wide information security program to provide information security for the operations and assets of the agency. Table I below provides the components that must be included in agency information security programs, as required by FISMA. FISMA also directs IGs to perform an annual independent evaluation to determine the effectiveness of information security programs and practices of their respective agency. These evaluations are to include: (1) testing of the effectiveness of information security policies, procedures, and practices of a subset of the agency’s information systems; and (2) an assessment of compliance with FISMA requirements and related information security policies, procedures, standards, and guidelines.

Table I: FISMA Information Security Program Areas

Risk Assessment: Periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency.

Policies and Procedures: Policies and procedures that (1) are based on risk assessments; (2) cost-effectively reduce information security risks to an acceptable level; and (3) ensure that information security is addressed throughout the life cycle of each agency information system.

Planning: Subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems, as appropriate.

Security Awareness Training: Security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of: (1) information security risks associated with their activities; and (2) their responsibilities in complying with agency policies and procedures designed to reduce these risks.

Periodic Testing and Evaluation: Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed with a frequency depending on risk, but no less than annually.

Remediation Process: A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency.

Incident Management: Procedures for detecting, reporting, and responding to security incidents, consistent with standards and guidelines.

Continuity of Operations: Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.

This audit report presents the results of the GSA Inspector General’s FY 2009 independent evaluation of GSA’s IT Security Program, as required by FISMA, and reflects results from system security audits conducted during the year. Appendix B provides a description of the select GSA systems considered in our annual FISMA review.

Results in Brief

GSA has taken steps to develop, document, and implement an agency-wide information technology (IT) security program and also provide information security for the operations and assets managed by the Agency. The GSA Chief Information Officer recently revised agency-wide IT security policy and has published several new guides to support risk management activities for IT systems and to address prior years’ audit findings. We also noted improvements in the implementation of GSA’s IT Security Program for select agency systems. However, we found areas where additional improvements are needed in GSA’s IT Security Program and instances where system security officials’ practices did not mitigate risks and protect sensitive Agency data and systems, as required. IT security findings for our annual FISMA review fall into four main areas: (1) certification and accreditation of system controls, (2) internal application security, (3) security of social media technologies (e.g., blogs, wikis), and (4) oversight of systems provided by contractors. Further, Appendix C summarizes security control areas where we found improvements were needed to better manage risks for specific GSA systems, including for access control, audit logging and monitoring, and secure configuration of system devices.

Improvements in these areas could provide management with additional information to make risk-based decisions on the security of GSA’s IT systems, including those provided by contractors. Further, focusing IT security program efforts to address risks in these key areas could result in better protection of sensitive Agency information and transactions, including personally identifiable and Federal buildings information. Under the Recovery Act, GSA has been given approximately $5.8 billion for construction and renovation of Federal buildings and improving the fuel efficiency of government vehicles. This money must be spent with increased speed and transparency, and GSA will rely on its information systems to track, report, and manage Recovery Act funds and information. Working with system security officials across GSA to address the risk areas highlighted in this report can better enable GSA to meet its security objectives and the requirements of the Recovery Act with speed and transparency.

Recommendations

To improve GSA’s IT Security Program and better ensure the security of Agency systems, data, and operations, we recommend that the GSA Chief Information Officer take actions to:

   1. Strengthen system certification and accreditation (C&A) processes by:

      a. Developing language to be included in C&A contracts for the provision of adequate details on methods used to conclude on the effectiveness of system security controls and updating Agency security guidance accordingly.
      b. Enhancing oversight processes to ensure that detailed information on testing procedures and methodologies is provided in system C&A packages.
      c. Collaborating with system security officials to ensure that system boundaries and controls for minor applications are adequately considered with C&A activities.

   2. Enhance the security of internal applications by working with GSA Services/Staff Offices/Regions to:

      a. Develop and maintain an inventory of internal applications, including the data maintained and functions performed by these applications.
      b. Ensure that these applications, including those we have identified in Appendix D, meet GSA security requirements.
      c. Strengthen change management procedures to better ensure that applications are put in operation with appropriate security controls.

   3. Improve security of GSA’s social media technologies, such as blogs and wikis, by:

      a. Reviewing all Agency-operated social media sites to ensure that appropriate access controls are established for creation and maintenance of such sites.
      b. Incorporating the Agency’s social media policy into security awareness training and rules of behavior.
      c. Ensuring that periodic security reviews of social media sites are performed.

   4. Work with the Chief Human Capital Officer, Chief Acquisition Officer, and other Agency officials, as appropriate, to enhance the security of systems supported by contractors by:

      a. Developing an inventory of contractors supporting GSA IT systems that have significant privacy information responsibilities.
      b. Ensuring that appropriate security awareness and privacy training is provided to contractors supporting GSA systems, including role-based training for contractors with significant privacy information responsibilities.
      c. Prioritizing ongoing efforts to analyze and mitigate the use of non-government domains for GSA systems by focusing on systems provided by contractors as managed service offerings.
      d. Ensuring that appropriate privacy clauses are included in contracts, statements of work, and task orders for Privacy Act systems.

Management Comments

The GSA Chief Information Officer concurred with the audit findings and recommendations outlined in this report. A copy of the Chief Information Officer’s comments is included in its entirety in Appendix E.

INTRODUCTION

Information security threats to Federal agencies, including the General Services Administration (GSA), are growing and evolving. For example, the number of security related incidents reported by Federal agencies to the United States Computer Emergency Readiness Team (US-CERT) has increased significantly over the last three years. Information security is a critical consideration for GSA as it carries out its mission, responds to the requirements of the American Recovery and Reinvestment Act of 2009 (Recovery Act), and works to implement transparency and open government initiatives to make Agency operations more transparent, participatory, and collaborative. To meet its mission, GSA relies on a portfolio of 94 information systems with a total enacted budget in Fiscal Year (FY) 2009 of approximately $540 million.[4] GSA has established an agency-wide Information Technology (IT) security program, which is managed by the Office of the Chief Information Officer (OCIO), to provide for the confidentiality, integrity, and availability of Agency information systems.

[4] As reported on the IT Dashboard.

An agency-wide IT security program provides a management framework for ensuring that risks are understood and that effective controls are selected and properly implemented for Agency information systems. The Federal Information Security Management Act of 2002 (FISMA) is the primary legislation governing Federal information security programs, and it builds upon earlier legislation through added emphasis on the management of information security. FISMA directs agencies to develop, document, and implement an agency-wide information security program to provide information security for the operations and assets of the agency. FISMA also directs Inspectors General (IGs) to perform an annual independent evaluation to determine the effectiveness of information security programs and practices of their respective agency. These evaluations are to include: (1) testing of the effectiveness of information security policies, procedures, and practices of a subset of the agency’s information systems; and (2) an assessment of compliance with FISMA requirements and related information security policies, procedures, standards, and guidelines.

This audit report presents the results of the GSA Office of Inspector General’s (OIG) FY 2009 annual review of GSA’s IT Security Program, and reflects results from system security audits conducted during the year in response to FISMA requirements. Appendix B provides a description of the select systems considered in our independent evaluation and Appendix C summarizes key security control areas where we found that additional steps need to be taken to better manage risks for these specific GSA systems.

RESULTS OF AUDIT

GSA has taken steps to develop, document, and implement an agency-wide IT security program and also provide information security for the operations and assets managed by the Agency. The GSA Chief Information Officer (GSA-CIO) recently revised agency-wide IT security policy and has published several new guides to support risk management activities for IT systems and to address prior years’ audit findings. We also noted improvements in the implementation of GSA’s IT Security Program for select agency systems. However, we found areas where additional improvements are needed in GSA’s IT Security Program and instances where system security officials’ practices did not mitigate risks and protect sensitive Agency data and systems, as required. IT security findings for our annual FISMA review fall into four main areas: (1) certification and accreditation of system controls, (2) internal application security, (3) security of social media technologies (e.g., blogs, wikis), and (4) oversight of systems provided by contractors. Further, Appendix C summarizes key control areas where we found improvements were needed to better manage risks for specific GSA systems, including for access control, audit logging and monitoring, and secure configuration of system devices.

While GSA has established a certification and accreditation (C&A) process that is based on Federal policy and guidance, implementation of this process by system owners has not ensured that risks are managed or that key information is provided to support risk-based decisions. Specifically, we identified applications processing sensitive information that were not covered under existing C&As, and detailed information on the assessment procedures and methodologies employed to determine the adequacy of controls in place was not available for select systems. This resulted in security vulnerabilities that were not being addressed and impacted the ability of management and GSA’s customer base to rely on approved controls to make informed decisions about system security. Our audit work also identified several internal GSA applications with security control weaknesses, including with access controls, which provided anyone in the Agency the ability to view sensitive transactions and information, including personally identifiable and secure buildings information. GSA is also implementing emerging social media technologies, such as blogs, to facilitate collaboration and sharing of information within the Agency and with the public. We found a need to enhance oversight of these technologies to ensure that they meet GSA security requirements and that appropriate access controls are implemented for creating and posting Agency information. Finally, increased security and privacy program oversight of contractor supported systems could provide additional assurance to GSA and customer agencies that required security controls have been implemented and sensitive information is protected.

Under the Recovery Act, GSA has been given approximately $5.8 billion for construction and renovation of Federal buildings and courthouses and improving the fuel efficiency of government vehicles. This money must be spent with increased speed and transparency, and GSA will rely on its information systems to track, report, and manage Recovery Act funds and information. Working with system security officials across GSA to address the risk areas highlighted in this report can better enable GSA to meet its security objectives and the requirements of the Recovery Act with speed and transparency.

Improvements to Agency-wide Certification and Accreditation Processes Would Better Assist Management and Provide Additional Information for Making Risk-based Decisions

While GSA has established an agency-wide certification and accreditation (C&A) process based on Federal policy and guidance, and all five of the select systems we reviewed had been certified and accredited, improvements in implementation of this process are needed in two main areas to ensure that sensitive information and risks are being managed. First, as reported by the OIG last year,[5] system C&As are not consistently ensuring that risks with minor applications[6] in GSA are being mitigated as needed. Specifically, we found that several internal Agency applications that stored or transmitted sensitive information were not covered by existing system security plans. Further, for two of the five systems we reviewed, including the only “high” risk system in GSA, details on the methods and procedures utilized to conclude on the effectiveness of security controls in place were not identified or documented as part of C&A activities. While improvements have been made with implementation of GSA’s C&A process, taking steps to address these areas could provide vital information, support risk-based decisions, and protect sensitive information and electronic transactions.

[5] FY 2008 Office of Inspector General FISMA Review of GSA’s Information Technology Security Program, Report Number A080081/O/T/F08016, September 11, 2008.
[6] NIST defines a minor application as an application, other than a major application, that requires attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.

Through a search of GSA’s Intranet site, we identified several internal applications storing sensitive information that had not been included in existing system security plans. These applications were operating with security control weaknesses that permitted anyone with access to GSA’s Intranet, including contractors, to view sensitive information. This access spanned Personally Identifiable Information (PII), Sensitive but Unclassified (SBU) buildings information, and financial information (refer to the next section and Appendix D for additional information). Primary causes for these weaknesses were that GSA does not have a comprehensive inventory of its internal applications and system security officials were unaware that these applications had been developed and implemented. GSA’s IT Security Policy requires all information systems, including minor applications, to be covered by a system security plan. Further, FISMA requires agency information security programs to include subordinate plans for providing adequate information security for networks, facilities, and systems, or groups of systems, as appropriate.

For two of five systems we reviewed, including GSA’s only “high” risk system, assurances were not provided in the C&A package regarding the methodologies and procedures utilized to conclude on the effectiveness of system controls. A primary cause for this was that contract documents for C&A services did not require this information. A lack of such information limits the ability of GSA management and the Agency’s customer base to rely on the C&A to make risk-based decisions. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37[7] notes that agency officials should have the most complete, accurate, and trustworthy information possible on the security status of their information systems in order to make timely, credible risk-based decisions.

[7] NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004.

Security certification and accreditation encompass activities that are an integral part of GSA’s IT risk management process. Improving results for GSA’s C&A process can provide additional security for sensitive Agency information and systems. Specifically, we recommend that the GSA-CIO take actions to strengthen C&As for GSA systems by: (1) developing language to be included in C&A contracts for the provision of adequate details on methods used to conclude on the effectiveness of system security controls and updating Agency security guidance accordingly; (2) enhancing oversight processes to ensure that detailed information on testing procedures and methodologies is provided in system C&A packages; and (3) collaborating with system security officials to ensure that system boundaries and controls for minor applications are adequately considered with C&A activities.

Security Controls for Internal GSA Applications Should Be Strengthened to Reduce Risks with Sensitive Agency Information and Transactions

GSA’s Services/Staff Offices/Regions (S/SO/Rs) rely on internal applications to support Agency operations, and we found weaknesses in security controls for several of these applications. We found applications that were available to anyone with access to GSA’s Intranet site, which potentially includes several thousand employees and contractors. Further, these applications were not always encrypting sensitive information that was being transmitted and stored inside of GSA. Appendix D provides a summary of the internal applications we identified where appropriate security controls were not in place and the information that was placed at risk due to control weaknesses.

Specifically, we found an internal Regional application providing access to shared SBU drawings and other sensitive files for Federal buildings to anyone with access to GSA’s Intranet. For this same Region, another application used to input data to GSA’s financial management system of record lacked appropriate access controls, enabling access to PII and the ability to submit transactions. System officials informed us that compensating controls were in place to address these weaknesses. However, system controls to detect potential fictitious transactions submitted through this application were not documented or available for testing. In addition, we identified several other internal applications supporting GSA Services and Staff Offices that were not securely configured. For example, an application being used by the Federal Acquisition Service (FAS) for management and tracking of system problem tickets, such as for user requests for password resets or for problems with usability, permitted unauthorized access to anyone in GSA.

Along with weaknesses in access controls for internal applications, we identified sensitive information including PII, financial information, and SBU buildings information that was available to those without a need to know. We found sensitive usernames and passwords and program code for specific GSA systems that were not adequately protected. If this information were to be obtained by a malicious user, it could lead to identity theft, financial fraud, or harm to GSA’s reputation. Further, while GSA has several protections in place to prevent a malicious individual from gaining access to the Agency’s internal network, if an outsider were able to circumvent these protections, this information is not stored or restricted properly to prevent unauthorized access that could disrupt GSA operations. Appropriate encryption and access controls would limit the ability of malicious internal or external users to gain access to this information.

There are three primary causes for these application security control weaknesses. First, system security officials were not always aware that these applications were developed and put into operation on GSA’s internal network. Second, a comprehensive inventory of internal applications, including the data maintained and functions performed by these applications, has not been developed. Third, C&As, particularly for general support systems, have not ensured that risks with these types of applications are effectively managed. While GSA’s IT Security Policy requires that system access be granted on a need to know basis and that all information systems incorporate proper user identification and authentication methodologies, these applications fell through the cracks. Further, data owners are required by the policy to ensure that system access is restricted to authorized users in order to enforce job function alignment, segregation of duties, and need to know. In addition, web application security guidance provided by the GSA-CIO notes that sensitive information should be encrypted and applications should use secure transmission protocols.

With implementation of the Recovery Act, GSA has been provided approximately $5.8 billion to construct and renovate Federal buildings, as well as improve the fuel efficiency of the Federal fleet. Undertaking Recovery Act projects will require GSA to utilize internal applications to track and manage funds and other information. As such, ensuring that appropriate controls are implemented to enforce segregation of duties and need to know for access to agency applications is critical to prevent fraud, waste, and abuse. We recommend that, to enhance the security of internal applications, the GSA-CIO work closely with Agency S/SO/Rs to: (1) develop and maintain an inventory of internal applications, including the data maintained and functions performed by these applications; (2) ensure that these applications, including those we have identified in Appendix D, meet GSA security requirements; and (3) strengthen change management procedures to better ensure that applications are put in operation with appropriate security controls.

Enhancing Oversight of Emerging Social Media Technologies Could Facilitate Secure Collaboration and Information Sharing Within GSA and With the Public

To meet goals for government that is more citizen-centered, transparent, participatory, and collaborative and to facilitate collaboration and information sharing internally and with the public, GSA has been implementing important social media technologies. Increased oversight and monitoring of these technologies is needed to ensure that only authorized individuals are able to create social media web sites in GSA and that sensitive Agency information is protected. While GSA has established a process to request, review, and approve the creation of internal and public facing social media related sites, we found that anyone in GSA with a Lotus Notes e-mail account, including contractors, was able to bypass this process and create sites on the internal GSA network. We also identified internal social media sites that lacked appropriate access controls, and a public facing wiki owned by GSA that had been the target of spam postings.[8] Promptly after we informed system security officials of these vulnerabilities, steps were taken to fix the security weaknesses. While GSA recently developed detailed policy for the use of social media technologies,[9] these weaknesses demonstrate a need to take a more proactive approach to ensure that this technology promotes secure collaboration and sharing of information within GSA and with the public.

Social media encompasses various activities that integrate technology, social interaction, and content creation. Examples of social media technologies include blogs, wikis, and social networking sites. Table II below provides a description of these technologies. GSA encourages the use of social media technologies to enhance communication, collaboration, and information exchange in support of GSA’s mission and the Agency has developed a number of internal and external blogs. For example, the Chief Financial Officer has developed an internal blog to provide a forum for expanding communications on performance management, planning, budgeting, and financial management.

Table II.
Select Social Media Technologies 10\n\n          Social Media Technology                                    Description\n                                             A web based forum with regular entries of commentary,\n                                             descriptions of events, or other materials where the blog\n                      Blog\n                                             host posts material on the website and others may provide\n                                             comments.\n                                             A collection of web pages that encourages users to\n                      Wiki\n                                             contribute or modify content.\n                                             Tools used to connect people who share the same interests\n          Social networking services\n                                             or activities.\n                                             A way of publishing audio files on the web so they can be\n                     Podcast\n                                             downloaded to portable listening devices.\n\nThere were three primary causes for security weakness with GSA\xe2\x80\x99s use of social media\ntechnology. First, C&A for the component of GSA\xe2\x80\x99s Lotus Notes infrastructure that provides the\ncapability to create and manage social media related sites is still in the process of being\ncompleted. As such, security controls assessment for these sites had not yet been completed.\nSecondly, at the time of our testing, GSA had not finalized detailed policy and procedures for the\ncreation, use, and maintenance of social media sites. As previously noted, GSA has since\ndistributed policies and procedures for the use of social media technologies. 
A general condition\nthat contributed to these weaknesses was that agency officials were not performing\ncomprehensive oversight of internally generated social media sites.\n\n\n\n\n8\n  Spam postings are unsolicited bulk messages that often contain malware. Malware refers to a program that is\ninserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability\nof the victim\xe2\x80\x99s data, applications, or operating system.\n9\n  GSA Order CIO 2106.1, GSA Social Media Policy, July 17, 2009; GSA Order CIO P 2106.2, GSA Social Media\nHandbook, July 17, 2009.\n10\n   GSA Order CIO P 2106.2, GSA Social Media Handbook, July 17, 2009.\n\n                                                            6\n\x0cAs a result of the weaknesses that we identified with GSA\xe2\x80\x99s use of social media technologies,\nthere was increased risk that users could create sites for malicious purposes. Further, weak\naccess controls for internal blogs can lead to users posting misleading information and\nimpersonating authorized GSA officials. This could harm GSA\xe2\x80\x99s reputation and provide an\navenue for phishing 11 attacks. GSA\xe2\x80\x99s IT Security Policy requires all information systems to be\ncertified and accredited and have access controls implemented to authorize or restrict the\nactivities of users and system personnel to authorized transactions and functions. In addition,\nGSA\xe2\x80\x99s Social Media Handbook notes that requests to create blogs must be approved by the\nRegional Administrator or Head of a Service or Staff Office.\n\nSocial media technologies are important tools to enhance communication, collaboration, and\ninformation exchange in support of GSA\xe2\x80\x99s mission. These technologies are also important to\nmake Agency operations more transparent, participatory, and collaborative. 
To facilitate secure\ncollaboration and information sharing within GSA and with the public, we recommend that the\nGSA-CIO take actions to: (1) review all Agency-operated social media sites to ensure that\nappropriate access controls are established for creation and maintenance of such sites; (2)\nincorporate the Agency\xe2\x80\x99s social media policy into security awareness training and rules of\nbehavior; and (3) ensure that periodic security reviews of social media sites are performed.\n\nStrengthening Oversight Processes is Needed to Ensure the Security of Contractor Supported\nSystems\n\nWhile GSA\xe2\x80\x99s IT Security Program has established processes to provide oversight of systems\nsupported by contractors, improvements are needed to ensure that sensitive Agency and\ncustomer information is protected. For two of the five systems we reviewed, we found that\nsystem security officials had not ensured that all contractors supporting GSA systems had been\nprovided with security awareness and privacy training. We also found that required privacy\nclauses were not included in contract documents for Privacy Act systems and that management\nattention was needed to prioritize ongoing efforts to analyze and mitigate the use of non-\ngovernment domains for GSA systems provided by contractors. GSA, like other Federal\nagencies, relies on contractors for systems development, maintenance, and operation for select\nsystems managed by the Agency. Over half of the systems listed on GSA\xe2\x80\x99s FISMA inventory\nare classified as \xe2\x80\x9ccontractor\xe2\x80\x9d systems, including those offered as managed services that support\nother Federal agencies. 
Ensuring that these systems meet GSA security requirements is\nimportant to achieving GSA\xe2\x80\x99s mission and for protecting sensitive Agency and customer\ninformation.\n\nGSA provides security awareness and privacy training through GSA Online University to\nAgency associates and contractors that have Lotus Notes GSA e-mail addresses. However, not\nall contractors directly supporting Agency systems have these e-mail addresses. While\ncontractors are oftentimes provided with security awareness and privacy training from their\nemployer, system officials have not ensured that this training meets GSA requirements. Further,\nGSA does not yet have a complete inventory of contractors with significant privacy information\n\n\n11\n  Phishing refers to tricking individuals into disclosing sensitive personal information through deceptive computer-\nbased means. To perform a phishing attack, an attacker creates a web site or e-mail that looks as if it is from a well-\nknown organization.\n\n                                                           7\n\x0cresponsibilities, which makes it difficult to identify those individuals who should take requisite\ntraining. In addition, for two Privacy Act systems we reviewed, security officials did not\nperform adequate oversight to ensure that appropriate privacy clauses were included in\nassociated contracts. As a result, GSA may be unable to hold contractors accountable for any\ndeviations from security or privacy policies. Further, contractors may be unaware of their\nresponsibilities to secure GSA systems and data. 
GSA\xe2\x80\x99s IT Security Policy requires all GSA\nemployees and contractors to complete annual security awareness and privacy training and that\nall Agency contracts involving Privacy Act information include appropriate privacy clauses.\n\nFor two of the five systems we reviewed that were provided by contractors as managed service\nofferings to GSA and several other Federal organizations, we found that these systems were not\nhosted on official government approved domains. Specifically these two systems were hosted on\ncommercial domains (.com) versus official government domains (e.g., .gov, Fed.us, or .mil). A\nprimary cause for this is that GSA has not yet made a determination if Agency systems that are\nhosted on commercial domains should be migrated to approved government domains. As a\nresult, there is a greater risk that users of these systems would be susceptible to phishing attacks,\nand GSA may not be able to take advantage of security improvements with the Federal\ngovernment\xe2\x80\x99s Domain Name System Security (DNSSEC) initiative.12 OMB Memorandum M-\n05-04 13 states that agencies must use only .gov, .mil, or Fed.us domains unless the agency head\nexplicitly determines another domain is necessary for the proper performance of an agency\nfunction.\n\nWith the many systems in GSA that are supported by contractors for the Agency, it is important\nfor GSA\xe2\x80\x99s IT Security Program to ensure that oversight mechanisms are strengthened to ensure\nthat these systems meet security requirements. This is of increased importance as contractor\nsupported systems in GSA are provided to several other Federal organizations. 
To strengthen\noversight of contractor supported systems, we recommend that the GSA-CIO work with the\nChief Human Capital Officer, Chief Acquisition Officer and other Agency officials, as\nappropriate, to: (1) develop an inventory of contractors supporting GSA IT systems that have\nsignificant privacy information responsibilities; (2) ensure that appropriate security awareness\nand privacy training is provided to contractors supporting GSA systems, including role-based\ntraining for contractors with significant privacy information responsibilities; (3) prioritize\nongoing efforts to analyze and mitigate the use of non-government domains for GSA systems by\nfocusing on systems provided by contractors as managed service offerings; and (4) ensure that\nappropriate privacy clauses are included in contracts, statements of work, and task orders for\nPrivacy Act systems.\n\n\n\n\n12\n   For more information, see OMB Memorandum M-08-23, Securing the Federal Government\xe2\x80\x99s Domain Name\nSystem Infrastructure, August 22, 2008.\n13\n   OMB Memorandum M-05-04, Policies for Federal Agency Websites, December 17, 2004.\n\n                                                  8\n\x0cCONCLUSIONS\n\nInformation security is a critical consideration for GSA as it carries out its mission and responds\nto the requirements of the Recovery Act. Information security is also important as GSA works to\nimplement transparency and open government initiatives to make Agency operations more\ntransparent, participatory, and collaborative. GSA has taken steps to develop, document, and\nimplement an agency-wide IT security program and provide information security for the\noperations and assets of the Agency. Further, we noted improvements in system officials\nimplementation of GSA\xe2\x80\x99s IT Security Program. 
However, additional improvements are needed\nwith GSA\xe2\x80\x99s IT Security Program and systems officials\xe2\x80\x99 implementation practices to protect\nsensitive Agency and customer information and manage risks in four main areas: (1)\ncertification and accreditation of system controls, (2) internal application security (3) security of\nsocial media technologies (e.g., blogs, wikis), and (4) oversight of systems provided by\ncontractors. Addressing these four areas could better enable GSA to meet its security objectives\nand the requirements of the Recovery Act with speed and transparency.\n\nRECOMMENDATIONS\n\nTo improve GSA\xe2\x80\x99s IT Security Program and better ensure the security of Agency systems, data,\nand operations, we recommend that the GSA Chief Information Officer take actions to:\n\n   1. Strengthen system certification and accreditation (C&A) processes by:\n\n           a. Developing language to be included in C&A contracts for the provision of\n              adequate details on methods used to conclude on the effectiveness of system\n              security controls and updating Agency security guidance accordingly.\n           b. Enhancing oversight processes to ensure that detailed information on testing\n              procedures and methodologies is provided in system C&A packages.\n           c. Collaborating with system security officials to ensure that system boundaries and\n              controls for minor applications are adequately considered with C&A activities.\n\n   2. Enhance the security of internal applications by working with GSA Services/Staff\n      Offices/Regions to:\n\n           a. Develop and maintain an inventory of internal applications, including the data\n              maintained and functions performed by these applications.\n           b. Ensure that these applications, including those we have identified in Appendix D,\n              meet GSA security requirements.\n           c. 
Strengthen change management procedures to better ensure that applications are\n              put in operation with appropriate security controls.\n\n   3. Improve security of GSA\xe2\x80\x99s social media technologies, such as blogs and wikis, by:\n\n           a. Reviewing all Agency-operated social media sites to ensure that appropriate\n              access controls are established for creation and maintenance of such sites.\n           b. Incorporating the Agency\xe2\x80\x99s social media policy into security awareness training\n              and rules of behavior.\n           c. Ensuring that periodic security reviews of social media sites are performed.\n\n                                                 9\n\x0c   4. Work with the Chief Human Capital Officer, Chief Acquisition Officer, and other\n      Agency officials, as appropriate, to enhance the security of systems supported by\n      contractors by:\n\n           a. Developing an inventory of contractors supporting GSA IT systems that have\n              significant privacy information responsibilities.\n           b. Ensuring that appropriate security awareness and privacy training is provided to\n              contractors supporting GSA systems, including role-based training for contractors\n              with significant privacy information responsibilities.\n           c. Prioritizing ongoing efforts to analyze and mitigate the use of non-government\n              domains for GSA systems by focusing on systems provided by contractors as\n              managed service offerings.\n           d. Ensuring that appropriate privacy clauses are included in contracts, statements of\n              work, and task orders for Privacy Act systems.\n\nMANAGEMENT COMMENTS\n\nThe GSA-Chief Information Officer concurred with the audit findings and recommendations\noutlined in this report. 
A copy of the Chief Information Officer\xe2\x80\x99s comments is included in its\nentirety in Appendix E.\n\nINTERNAL CONTROLS\n\nAs discussed in the Objective, Scope, and Methodology section of our report (see Appendix A),\nthe objective of our audit was to determine if the General Services Administration (GSA) has\ndeveloped, documented, and implemented an agency-wide information security program to\nprovide information security for the data and systems that support the operations and assets of\nthe Agency. If not, what additional actions are needed to strengthen information security risk\nmanagement practices for GSA? While this audit included a review of elements of GSA\xe2\x80\x99s IT\nSecurity program including select management, operational, and technical controls for five GSA\nsystems, we did not test all controls across the Agency. The Results of Audit and\nRecommendations sections of this report state, in detail, the need to strengthen specific processes\nand controls established with GSA IT Security Program through collaboration with officials\nacross the Agency.\n\n\n\n\n                                                10\n\x0c                            FY 2009 OFFICE OF INSPECTOR GENERAL\n                            FISMA REVIEW OF GSA\xe2\x80\x99S INFORMATION\n                              TECHNOLOGY SECURITY PROGRAM\n                              REPORT NUMBER A090126/O/T/F09011\n\n                APPENDIX A - OBJECTIVE, SCOPE, AND METHODOLOGY\n\nThe objective of this audit was to determine if the General Services Administration (GSA) has\ndeveloped, documented, and implemented an agency-wide information security program to\nprovide information security for the data and systems that support the operations and assets of\nthe Agency. If not, what additional actions are needed to strengthen information security risk\nmanagement practices for GSA? 
We focused our review on the implementation of processes\nestablished with GSA\xe2\x80\x99s Information Technology (IT) Security Program to manage risks for\nselect Agency IT systems. As such, we reviewed policies, procedures, technical guides, and\nstandards established with GSA\xe2\x80\x99s IT Security Program to provide information security for the\nAgency\xe2\x80\x99s information resources and assets 14 . We also reviewed policies established for GSA\xe2\x80\x99s\nPrivacy Program and for protection of Sensitive but Unclassified (SBU) buildings information 15 .\nWe assessed the implementation of GSA\xe2\x80\x99s IT Security Program for five select Agency systems.\nAppendix B provides additional information on the systems reviewed. For these select systems,\nwe conducted security audits to determine whether management, operational, and technical\ncontrols had been implemented to effectively manage risks in accordance with the Federal\nInformation Security Management Act and GSA\xe2\x80\x99s IT Security Program.\n\nTo gain an understanding of GSA\xe2\x80\x99s IT Security Program and the implementation of controls for\nselect Agency systems, we met with GSA IT security officials in the Office of the GSA Chief\nInformation Officer and in Services, Staff Offices, and Regions (S/SO/R), including the Federal\nAcquisition Service, Public Buildings Service, Office of the Chief Human Capital Officer, and\nOffice of the Chief Financial Officer. We also met with the GSA Chief Information Officer,\nSenior Agency Information Security Officer, and security officials for the select systems we\nreviewed. 
We also met with GSA\xe2\x80\x99s external auditor, KPMG, and considered results of\ninformation systems controls testing performed for the financial statement audit with our FISMA\nreviews.\n\nIn our review of GSA\xe2\x80\x99s IT Security Program, in addition to Agency policies and procedures, we\nevaluated the implementation of information security program elements from National Institute\nof Standards and Technology (NIST) Special Publication (SP) 800-100, Information Security\nHandbook: A Guide for Managers, October 2006. To assess security controls, we applied the\n\n\n14\n   GSA Order CIO P. 2100.1D, GSA Information Technology Security Policy, June 21, 2007; GSA Order CIO\n2106.1, GSA Social Media Policy, July 17, 2009; GSA Order CIO P 2106.2, GSA Social Media Handbook, July 17,\n2009; GSA Directive CIO 2100.3A, IT Security Training Requirement for Agency and Contractor Employees with\nSignificant Security Responsibilities, June 26, 2008; GSA Order CIO 2104.1, GSA Information Technology (IT)\nRules of Behavior, July 3, 2003; and various procedural and technical guides and standards established by the GSA-\nCIO.\n15\n   GSA Order CPO 1878.1, GSA Privacy Act Program, October 27, 2003; GSA Order CPO 1878.2, Conducting\nPrivacy Impact Assessments (PIAs) in GSA, May 28, 2004; GSA Order HCO 9297.2A, GSA Information Breach\nNotification Policy, February 26, 2009; and PBS Order 3490.1A , Document Security for Sensitive but Unclassified\nBuilding Information, June 1, 2009.\n\n                                                      A-1\n\x0cNIST Federal Information Processing Standards (FIPS) Publication 16 and SP 800 series security\nguidelines. 
We also utilized other applicable regulations, policies, and guidance, including OMB\nCircular A-130, Appendix III, Security of Federal Automated Information Resources, November\n2000; and the following OMB memoranda: M-05-04, Policies for Federal Agency Public\nWebsites, December 17, 2004; M-07-16, Safeguarding Against and Responding to the Breach of\nPersonally Identifiable Information, May 22, 2007; M-07-11, Implementation of Commonly\nAccepted Security Configurations for Windows Operating Systems, March 22, 2007; and M-08-\n05, Implementation of Trusted Internet Connections (TIC), November 20, 2007.\n\nTo assess the effectiveness of GSA\xe2\x80\x99s IT Security Program implementation, we examined system\ncertification and accreditation packages, including system risk assessments, security plans,\nsecurity assessment results, contingency plans, and system-and program-level plans of action and\nmilestones.     We conducted vulnerability scanning and database and web application\nconfiguration testing for the select systems we reviewed. We manually tested specific security\ncontrols for social media websites, such as blogs and wikis, and various internal applications.\n\nWe conducted this performance audit in accordance with generally accepted government\nauditing standards between February and August of 2009. Those standards require that we plan\nand perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for\nour findings and conclusions based on our audit objectives. 
We believe that the evidence\nobtained provides a reasonable basis for our findings and conclusions based on our audit\nobjectives.\n\n\n\n\n16\n  FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems,\nFebruary 2004; FIPS Publication 200, Minimum Security Requirements for Federal Information and Information\nSystems, March 2006.\n\n                                                      A-2\n\x0c                       FY 2009 OFFICE OF INSPECTOR GENERAL\n                       FISMA REVIEW OF GSA\xe2\x80\x99S INFORMATION\n                         TECHNOLOGY SECURITY PROGRAM\n                         REPORT NUMBER A090126/O/T/F09011\n\nAPPENDIX B \xe2\x80\x93 SELECT GSA SYSTEMS CONSIDERED IN THE OIG\xe2\x80\x99S FY 2009 REVIEW\n        OF GSA\xe2\x80\x99S INFORMATION TECHNOLOGY SECURITY PROGRAM\n\n       APPENDIX C \xe2\x80\x93 SUMMARY OF NIST SP 800-53 CONTROL AREAS WHERE\n          ADDITIONAL STEPS ARE NEEDED TO BETTER MANAGE RISKS\n          FOR THE SELECT SYSTEMS REVIEWED BY THE OIG IN FY 2009\n\n         APPENDIX D \xe2\x80\x93 SUMMARY OF SECURITY CONTROL WEAKNESSES\n                IDENTIFIED IN INTERNAL GSA APPLICATIONS\n\n\nDue to the sensitive nature of information contained appendices B-D, only reports provided\nto system security officials and the GSA Office of the Chief Information Officer contain the\ndetails of the appendices. 
Requests for the details of the appendices should be referred to\nthe Deputy Assistant Inspector General for Information Technology Audits.\n\n\n\n\n                                       B-1; C-1; D-1\n\x0c       FY 2009 OFFICE OF INSPECTOR GENERAL\n       FISMA REVIEW OF GSA\xe2\x80\x99S INFORMATION\n         TECHNOLOGY SECURITY PROGRAM\n         REPORT NUMBER A090126/O/T/F09011\n\nAPPENDIX E \xe2\x80\x93 GSA-CIO\xe2\x80\x99S RESPONSE TO DRAFT REPORT\n\n\n\n\n                       E-1\n\x0c                                  FY 2009 OFFICE OF INSPECTOR GENERAL\n                                  FISMA REVIEW OF GSA\xe2\x80\x99S INFORMATION\n                                    TECHNOLOGY SECURITY PROGRAM\n                                    REPORT NUMBER A090126/O/T/F09011\n\n                                   APPENDIX F \xe2\x80\x93 REPORT DISTRIBUTION\n\n                                                                                                                               Copies\n\nWITH APPENDICES B-D\n\nChief Information Officer (I) .......................................................................................................3\n\n       Office of the Senior Agency Information Security Officer (IS) .........................................1\nCommissioner, Public Buildings Service (P)...............................................................................1\n\nCommissioner, Federal Acquisition Service (Q) .........................................................................1\n\nChief Financial Officer (B) ..........................................................................................................1\n\nChief Human Capital Officer (C) ................................................................................................1\n\nChief Acquisition Officer (V) ......................................................................................................1\n\nRegional Administrator, Great Lakes Region (5A) 
.....................................................................1\n\n\nWITHOUT APPENDICES B-D\nInternal Control and Audit Division (BEI) ..................................................................................1\n\nAssistant Inspector General for Auditing (JA and JAO) .............................................................2\n\nDeputy Assistant Inspector General for Finance and Administrative Audits (JA-F) ..................1\n\nDeputy Assistant Inspector General for Real Property Audits (JA-R) ........................................1\n\nDeputy Assistant Inspector General for Acquisition Audits (JA-A) ...........................................1\n\nRegional Inspector General for Auditing (JA-5) .........................................................................1\n\nAdministration and Data Systems Staff (JAS).............................................................................1\n\nAssistant Inspector General for Investigations (JI) ......................................................................1\n\n\n\n\n                                                                  F-1\n\x0c'